When
As applicable.
Why
You finally got a weekend off and went to the beach. If you decided to run away permanently and take up surfing, could your backup run the show? It's your job as a responsible employee to make certain he can ensure smooth security operations. This is one area I rarely see covered in continuity of operations plans: key personnel absent for vacation or extended training.
Strategy
One method is to keep an informal log of typical activities over the course of a week or two. Divide them into two types of categories: routine and incidental. Make sure your deputy is comfortable handling all of the routine tasks, and then discuss strategies for handling special cases. Be sure to list things likely to crop up regularly like: reports, meetings, resetting accounts, virus updates and time card accounting. Delegate appropriate authority and temporary access permissions, if necessary. Things that crop up irregularly include visitors, virus attacks, creating new accounts and hacking incidents. Will your deputy attend a meeting in your place, or will you just not be present nor file a report that week? Of course someone is executing the daily checklist, so when you return, you'll have a quick activity summary to reference. If you run a help desk, you'll have logs to track open and closed items, and your e-mail inbox will tell you pretty much anything else that exploded while you were out. Depending on your corporate policy, be sure to set up an out-of-office auto-responder if you can. I've found people don't mind if you're gone, as long as they know; otherwise, they simply think you aren't being responsive. Your voicemail should have a similar reference, with a point of contact number to call if the message can't wait.
Want to do a dry run before actually departing the time zone? Try this: Agree with your boss that you're going to be working on a special project for one week, and during that time, your deputy is in charge of it all. All of it -- no cheating. Don't answer your phone, and leave a recorded message that refers people to your deputy. The deputy gets to find out what he doesn't know and gets credit for being in charge for a week. Between the two of you, you can discern who needs more training on what issues, and what communications processes need to be updated.
It's not vacation if you're checking your e-mail and voicemail daily; the point of not being at work is to get away from it all so that when you do return, you are refreshed and have new perspective and energy. Your family and friends will resent you if you're working while on vacation; work will resent you if you're constantly dealing with family and friends issues in the office. It sounds Zen, but it's really simple: Be where you are.
More information
This subject sounds deceptively straightforward but it actually covers multiple management topics: time management, delegation, training, continuity of operations and the psychological issues some people have about feeling irreplaceable. Frankly, nothing beats on-the-job training for this issue because it's a quintessential example of theory versus reality. Classes in management techniques, lessons-learned summaries, books and best industry practices are some places to start.
About the author
Shelley Bard, CISSP, CISM, is a senior security network engineer with Verizon Federal Network Systems (FNS). An information security professional for 17 years, Bard has briefed and written infosecurity assessments and technical reports for the White House and Department of Defense, special interest groups, industry and academia. Please e-mail any comments to mailto:securityplanner@infosecuritymag.com.
Opinions expressed in this column are those of Shelley Bard and don't necessarily reflect those of Verizon FNS.
Last week: New technical manager challenges and pitfalls
Next week: Privacy Impact Assessments
